* First thing which ever executes on the Wii is the “boot0? code, which is probably stored inside the hollywood in a mask rom.
* boot0 loads the first 0×2F pages (”boot1?) from flash, decrypts them with a fixed aes key, calculates a SHA-1 hash (with some obscure bugs specialities, I still couldn’t calculate it by hand), and checks that versus the expected values, read from some internal memory.
* If the hash bytes in the “internal memory” is all-zero, the hash check is skipped. This is probably used for production, and maybe for devkits.
* boot1 then searches a certain header in flash, where it extracts specific information where to find boot2.
* At that position, some certificate chain is checked, and finally the boot2 “tmd” is verified, and the hash extracted.
* The boot2 payload is load from flash, decrypted, and hash-checked (against the hash from the boot2 tmd).
* boot2 will then load the firmware, or whatever. That’s not my region of interest at the moment.